[mirotalk] - #139 add xss sanitize on server side
+36
-12
@@ -22,6 +22,7 @@ dependencies: {
|
||||
socket.io : https://www.npmjs.com/package/socket.io
|
||||
swagger : https://www.npmjs.com/package/swagger-ui-express
|
||||
uuid : https://www.npmjs.com/package/uuid
|
||||
xss : https://www.npmjs.com/package/xss
|
||||
yamljs : https://www.npmjs.com/package/yamljs
|
||||
}
|
||||
*/
|
||||
@@ -35,7 +36,7 @@ dependencies: {
|
||||
* @license For commercial use or closed source, contact us at license.mirotalk@gmail.com or purchase directly from CodeCanyon
|
||||
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
|
||||
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
|
||||
* @version 1.0.1
|
||||
* @version 1.0.2
|
||||
*
|
||||
*/
|
||||
|
||||
@@ -50,6 +51,7 @@ const compression = require('compression');
|
||||
const express = require('express');
|
||||
const cors = require('cors');
|
||||
const path = require('path');
|
||||
const checkXSS = require('./xss.js');
|
||||
const app = express();
|
||||
|
||||
const Logs = require('./logs');
|
||||
@@ -496,7 +498,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* On peer join
|
||||
*/
|
||||
socket.on('join', async (config) => {
|
||||
socket.on('join', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
// log.debug('Join room', config);
|
||||
log.debug('[' + socket.id + '] join ', config);
|
||||
|
||||
@@ -593,7 +597,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Handle Room action
|
||||
*/
|
||||
socket.on('roomAction', async (config) => {
|
||||
socket.on('roomAction', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
//log.debug('[' + socket.id + '] Room action:', config);
|
||||
let room_is_locked = false;
|
||||
let room_id = config.room_id;
|
||||
@@ -638,7 +644,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Relay NAME to peers
|
||||
*/
|
||||
socket.on('peerName', async (config) => {
|
||||
socket.on('peerName', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
// log.debug('Peer name', config);
|
||||
let room_id = config.room_id;
|
||||
let peer_name_old = config.peer_name_old;
|
||||
@@ -668,7 +676,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Relay Audio Video Hand ... Status to peers
|
||||
*/
|
||||
socket.on('peerStatus', async (config) => {
|
||||
socket.on('peerStatus', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
// log.debug('Peer status', config);
|
||||
let room_id = config.room_id;
|
||||
let peer_name = config.peer_name;
|
||||
@@ -721,7 +731,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Relay actions to peers or specific peer in the same room
|
||||
*/
|
||||
socket.on('peerAction', async (config) => {
|
||||
socket.on('peerAction', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
// log.debug('Peer action', config);
|
||||
let room_id = config.room_id;
|
||||
let peer_id = config.peer_id;
|
||||
@@ -759,7 +771,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Relay Kick out peer from room
|
||||
*/
|
||||
socket.on('kickOut', async (config) => {
|
||||
socket.on('kickOut', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
let room_id = config.room_id;
|
||||
let peer_id = config.peer_id;
|
||||
let peer_name = config.peer_name;
|
||||
@@ -774,7 +788,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Relay File info
|
||||
*/
|
||||
socket.on('fileInfo', async (config) => {
|
||||
socket.on('fileInfo', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
// log.debug('File info', config);
|
||||
let room_id = config.room_id;
|
||||
let peer_name = config.peer_name;
|
||||
@@ -807,7 +823,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Abort file sharing
|
||||
*/
|
||||
socket.on('fileAbort', async (config) => {
|
||||
socket.on('fileAbort', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
let room_id = config.room_id;
|
||||
let peer_name = config.peer_name;
|
||||
|
||||
@@ -818,7 +836,9 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Relay video player action
|
||||
*/
|
||||
socket.on('videoPlayer', async (config) => {
|
||||
socket.on('videoPlayer', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
// log.debug('Video player', config);
|
||||
let room_id = config.room_id;
|
||||
let peer_name = config.peer_name;
|
||||
@@ -855,13 +875,17 @@ io.sockets.on('connect', async (socket) => {
|
||||
/**
|
||||
* Whiteboard actions for all user in the same room
|
||||
*/
|
||||
socket.on('wbCanvasToJson', async (config) => {
|
||||
socket.on('wbCanvasToJson', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
// log.debug('Whiteboard send canvas', config);
|
||||
let room_id = config.room_id;
|
||||
await sendToRoom(room_id, socket.id, 'wbCanvasToJson', config);
|
||||
});
|
||||
|
||||
socket.on('whiteboardAction', async (config) => {
|
||||
socket.on('whiteboardAction', async (cfg) => {
|
||||
// Prevent XSS injection
|
||||
const config = checkXSS(cfg);
|
||||
log.debug('Whiteboard', config);
|
||||
let room_id = config.room_id;
|
||||
await sendToRoom(room_id, socket.id, 'whiteboardAction', config);
|
||||
|
||||
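Review bot: Each handler in this section now starts with `const config = checkXSS(cfg);`, but `checkXSS` round-trips the payload through `JSON.stringify`/`JSON.parse` and can throw on what a client sends (for example an event emitted with no argument), and these handlers are `async` callbacks with no try/catch, so a bad payload becomes an unhandled promise rejection instead of a cleanly ignored event. The same applies to every handler touched here: `join`, `roomAction`, `peerName`, `peerStatus`, `peerAction`, `kickOut`, `fileInfo`, `fileAbort`, `videoPlayer`, `wbCanvasToJson` and `whiteboardAction`; each handler's body continues outside its hunk. A minimal guard per handler is `let config; try { config = checkXSS(cfg); } catch (err) { log.debug('[' + socket.id + '] invalid payload', err.message); return; }`, or sanitise once in a socket-level middleware so the pattern is not repeated eleven times. Any other socket event in server.js that carries client-supplied strings and is not touched by this commit would still be unsanitised, which is worth checking against the full event list.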
@@ -0,0 +1,17 @@
|
||||
'use strict';
|
||||
|
||||
const xss = require('xss');
|
||||
|
||||
/**
|
||||
* Prevent XSS injection by client side
|
||||
* @param {object} cfg
|
||||
* @returns sanitized object
|
||||
*/
|
||||
const checkXSS = (cfg) => {
|
||||
// Object to string and remove XSS injection
|
||||
const config = xss(JSON.stringify(cfg));
|
||||
// String sanitized to object
|
||||
return JSON.parse(config);
|
||||
};
|
||||
|
||||
module.exports = checkXSS;
|
||||
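Review bot: `return JSON.parse(config);` throws whenever the round-trip does not yield valid JSON — `JSON.stringify(undefined)` returns `undefined`, so a missing or non-serialisable payload from a client raises a SyntaxError here, and the callers in server.js are async handlers with no catch. The function should guard the `undefined` case and surface parse failures as a typed error the handlers can handle. Separately, `xss()` with its default options keeps its built-in tag whitelist and HTML-entity-encodes `<`/`>` inside string values, so fields such as `peer_name` come back HTML-encoded: a client that inserts them via textContent will display the entities literally, while one that inserts them as HTML still renders the whitelisted tags, so the intended contract (escaped text vs. stripped markup, e.g. `xss(str, { whiteList: {}, stripIgnoreTag: true })`) should be decided and recorded in the JSDoc, e.g. `@returns {object} deep copy of cfg whose string values are HTML-escaped`. The JSON round-trip also drops `undefined`/function values and turns Dates into strings, which the docstring should mention.
```javascript
const checkXSS = (cfg) => {
    // JSON.stringify(undefined) is undefined, which JSON.parse would reject
    if (cfg === undefined) return cfg;
    try {
        // Object to string, escape markup in every string value, back to object
        return JSON.parse(xss(JSON.stringify(cfg)));
    } catch (err) {
        // Callers must handle this; a client-controlled payload reached here
        throw new Error('checkXSS: payload is not JSON-serializable', { cause: err });
    }
};
```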
+4
-3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "mirotalk",
|
||||
"version": "1.0.1",
|
||||
"version": "1.0.2",
|
||||
"description": "A free WebRTC browser-based video call",
|
||||
"main": "server.js",
|
||||
"scripts": {
|
||||
@@ -23,8 +23,8 @@
|
||||
"license": "AGPL-3.0",
|
||||
"homepage": "https://github.com/miroslavpejic85/mirotalk",
|
||||
"dependencies": {
|
||||
"@sentry/integrations": "^7.37.1",
|
||||
"@sentry/node": "^7.37.1",
|
||||
"@sentry/integrations": "^7.38.0",
|
||||
"@sentry/node": "^7.38.0",
|
||||
"body-parser": "^1.20.1",
|
||||
"colors": "^1.4.0",
|
||||
"compression": "^1.7.4",
|
||||
@@ -37,6 +37,7 @@
|
||||
"socket.io": "^4.6.0",
|
||||
"swagger-ui-express": "^4.6.0",
|
||||
"uuid": "9.0.0",
|
||||
"xss": "^1.0.14",
|
||||
"yamljs": "^0.3.0"
|
||||
},
|
||||
"devDependencies": {
|
||||
|
||||
+1
-1
@@ -15,7 +15,7 @@
|
||||
* @license For commercial use or closed source, contact us at license.mirotalk@gmail.com or purchase directly from CodeCanyon
|
||||
* @license CodeCanyon: https://codecanyon.net/item/mirotalk-p2p-webrtc-realtime-video-conferences/38376661
|
||||
* @author Miroslav Pejic - miroslav.pejic.85@gmail.com
|
||||
* @version 1.0.1
|
||||
* @version 1.0.2
|
||||
*
|
||||
*/
|
||||
|
||||
|
||||